FEDERAL ELECTION COMMISSION
OFFICE OF INSPECTOR GENERAL

FINAL REPORT

Audit of the Federal Election Commission’s
Fiscal Year 2007 Financial Statements

November 2007

ASSIGNMENT No. OIG-07-01

Table of Contents

Transmittal Memorandum
Independent Auditor’s Report
Independent Auditor’s Report on Compliance and Other Matters
Independent Auditor’s Report on Internal Control

costs in its statement of net cost, the present opinion on the FY 2006 financial statements
is different from that expressed in the previous report.

Report on Internal Control
CG-LLP's planning and performance of the audit included consideration of the FEC's
internal control over financial reporting as a basis for designing audit procedures for the
purpose of expressing an opinion on the financial statements and to comply with OMB
Bulletin 07-04.
The auditors did not test all internal controls relevant to operating
effectiveness, such as those controls relevant to ensuring efficient operations, and
consequently CG-LLP did not express an opinion on the agency's internal control over
financial reporting.

The American Institute of Certified Public Accountants (AICPA) established standards
on communicating deficiencies related to an entity's internal control over financial
reporting identified by the auditors. As defined by the AICPA, a control deficiency exists
when the design or operation of a control does not allow the agency's management or its
employees, in the normal course of performing their assigned duties, to prevent or detect
misstatements on a timely basis.

Auditors determine whether an internal control deficiency is a significant deficiency or a
material weakness based on the factors of likelihood and magnitude. A significant
deficiency is a control deficiency, or combination of control deficiencies, that adversely
affects the agency's ability to initiate, authorize, record, process, or report financial data
reliably in accordance with generally accepted accounting principles such that there is
more than a remote likelihood that a misstatement of the agency's financial statements
that is more than inconsequential will not be prevented or detected by the agency's
internal control.
A material weakness is a significant deficiency, or combination of
significant deficiencies, that results in more than a remote likelihood that a material
misstatement of the financial statements will not be prevented or detected by the agency's
internal controls.

CG-LLP identified a significant deficiency in the area of:
    Information Technology (IT)

CG-LLP identified a material weakness in the area of:
    Integrated Financial Management System

Report on Compliance and Other Matters
FEC management is responsible for complying with laws and regulations applicable to
the agency. To obtain reasonable assurance about whether the FEC's financial
statements are free of material misstatements, CG-LLP performed tests of compliance
with certain provisions of laws and regulations, non-compliance with which could have a
direct and material effect on the determination of financial statement amounts, and
certain laws and regulations specified in OMB Bulletin No. 07-04, such as the
Anti-Deficiency Act and the Prompt Payment Act.

The results of CG-LLP's tests of compliance with laws and regulations described in the
audit report disclosed no instances of noncompliance with the laws and regulations that
are required to be reported under Government Auditing Standards and OMB Bulletin No.
07-04.

Audit Follow-up
The report on internal control contains recommendations to address weaknesses found by
the auditors. Management was provided a draft copy of the audit report for comment and
generally concurred with the findings and recommendations. In accordance with OMB
Circular No. A-50, Audit Followup, revised, the FEC's corrective action plan is to set
forth the specific action planned to implement the recommendations and the schedule for
implementation.
The Commission has designated the Chief Financial Officer to be the
audit follow-up official for the financial statement audit.

OIG Evaluation of Clifton Gunderson LLP's Audit Performance
In connection with the OIG's contract with CG-LLP, we reviewed CG-LLP's report and
related documentation and inquired of its representatives. The OIG's review, as
differentiated from an audit in accordance with U.S. generally accepted government
auditing standards (GAGAS), was not intended to enable us to express, and we do not
express, opinions on the FEC's financial statements or internal control or on the FEC's
compliance with laws and regulations. CG-LLP is responsible for the attached auditor's
report and the conclusions expressed in the report. However, the OIG review disclosed no
instances where CG-LLP did not comply, in all material respects, with GAGAS.

We appreciate the courtesies and cooperation extended to Clifton Gunderson LLP and the
OIG staff during the audit. If you should have any questions concerning these reports,
please contact my office on (202) 694-1015.

A. McFarland
Inspector General

Attachments

Cc: Chief Financial Officer
    Staff Director
    General Counsel
    Chief Information Officer
    Accounting Officer

Independent Auditor’s Report

To the Inspector General of the
Federal Election Commission

We have audited the balance sheets of the Federal Election Commission (FEC) as of
September 30, 2007 (FY 2007) and 2006 (FY 2006), and the related statements of net cost,
changes in net position, budgetary resources, and custodial activity for the years then ended
(hereinafter collectively referred to as the “financial statements”).
These financial statements are
the responsibility of the FEC’s management. Our responsibility is to express an opinion on these
financial statements based on our audits.

We conducted our audits in accordance with auditing standards generally accepted in the United
States of America; the standards applicable to financial audits contained in Government Auditing
Standards, issued by the Comptroller General of the United States; and applicable provisions of
Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal
Financial Statements. Those standards require that we plan and perform the audit to obtain
reasonable assurance about whether the financial statements are free of material misstatement.
An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in
the financial statements. An audit also includes assessing the accounting principles used and
significant estimates made by management, as well as evaluating the overall financial
statements’ presentation. We believe our audits provide a reasonable basis for our opinion.

In our opinion, the financial statements referred to above present fairly, in all material respects,
the financial position of the FEC as of September 30, 2007 and 2006, and its net cost, changes in
net position, budgetary resources, and custodial activity for the years then ended in conformity
with accounting principles generally accepted in the United States of America.

In our report dated November 7, 2006, we expressed a qualified opinion on the FY 2006
statement of net cost because we were not able to obtain sufficient competent audit evidence to
support the allocation of program costs. As described in Note 1, FEC has changed the
presentation of program costs in its statement of net cost.
Accordingly, our present opinion on
the FY 2006 financial statements, as presented herein, is different from that expressed in our
previous report.

In accordance with Government Auditing Standards, we have also issued our reports dated
November 13, 2007 on our consideration of the FEC’s internal control over financial reporting,
and on our tests of the FEC’s compliance with certain provisions of laws and regulations and
other matters. The purpose of those reports is to describe the scope of our testing of internal
control over financial reporting and compliance and the results of that testing, and not to provide
an opinion on the internal control over financial reporting or on compliance. Those reports are
an integral part of our audit performed in accordance with Government Auditing Standards and
should be considered in assessing the results of our audit.

11710 Beltsville Drive, Suite 300
Calverton, Maryland 20705-3106
tel: 301-931-2050
fax: 301-931-1710
www.cliftoncpa.com
Offices in 17 states and Washington, DC

The information in the Management Discussion and Analysis section is not a required part of the
consolidated financial statements, but is supplementary information required by U.S. generally
accepted accounting principles and OMB Circular No. A-136, Financial Reporting
Requirements. We have applied certain limited procedures, which consisted principally of
inquiries of management regarding the methods of measurement and presentation of this
information. However, we did not audit this information and, accordingly, we express no opinion
on it.

Our audits were conducted for the purpose of forming an opinion on the consolidated financial
statements taken as a whole.
The information in the Message from The Chairman, Performance
Section, and Other Accompanying Information is presented for purposes of additional analysis
and is not required as part of the consolidated financial statements. This information has not
been subjected to auditing procedures and, accordingly, we express no opinion on it.

Calverton, Maryland
November 13, 2007

Independent Auditor’s Report on Compliance and Other Matters

To the Inspector General of the
Federal Election Commission

We have audited the financial statements of the Federal Election Commission (FEC) as of, and
for the year ended September 30, 2007, and have issued our report thereon dated
November 13, 2007. We conducted our audit in accordance with the auditing standards
generally accepted in the United States of America; the standards applicable to financial audits
contained in Government Auditing Standards, issued by the Comptroller General of the United
States; and, applicable provisions of Office of Management and Budget (OMB) Bulletin 07-04,
Audit Requirements for Federal Financial Statements.

The management of FEC is responsible for complying with laws and regulations applicable to
FEC. As part of obtaining reasonable assurance about whether FEC’s financial statements are
free of material misstatements, we performed tests of FEC’s compliance with certain provisions
of laws and regulations, non-compliance with which could have a direct and material effect on
the determination of financial statement amounts and certain other laws and regulations specified
in OMB Bulletin 07-04. We limited our tests of compliance to these provisions and we did not
test compliance with all laws and regulations applicable to FEC.
Providing an opinion on
compliance with certain provisions of laws and regulations was not an objective of our audit,
and, accordingly, we do not express such an opinion.

The results of our tests of compliance with laws and regulations described in the preceding
paragraph disclosed no instances of reportable noncompliance or other matters that are required
to be reported under U.S. generally accepted Government Auditing Standards or OMB Bulletin
No. 07-04.

This report is intended solely for the information and use of the management of FEC, FEC
Office of Inspector General, Government Accountability Office, OMB and Congress, and is not
intended to be and should not be used by anyone other than these specified parties.

Calverton, Maryland
November 13, 2007

Independent Auditor’s Report on Internal Control

To the Inspector General of the
Federal Election Commission

We have audited the financial statements of the Federal Election Commission (FEC) as of and
for the year ended September 30, 2007 and have issued our report thereon dated
November 13, 2007.
We conducted our audit in accordance with the auditing standards
generally accepted in the United States of America; the standards applicable to financial audits
contained in Government Auditing Standards, issued by the Comptroller General of the United
States; and, applicable provisions of Office of Management and Budget (OMB) Bulletin No.
07-04, Audit Requirements for Federal Financial Statements.

In planning and performing our audit, we considered FEC’s internal control over financial
reporting as a basis for designing our audit procedures for the purpose of expressing our opinion
on the financial statements and to comply with OMB Bulletin 07-04, but not for the purpose of
expressing an opinion on the effectiveness of FEC’s internal control over financial reporting.
We did not test all internal controls relevant to operating effectiveness as broadly defined by the
Federal Managers’ Financial Integrity Act (FMFIA) (31 U.S.C. 3512), such as those controls
relevant to ensuring efficient operations. Accordingly, we do not express an opinion on the
effectiveness of FEC’s internal control over financial reporting.

Our consideration of internal control over financial reporting was for the limited purpose
described in the preceding paragraph and would not necessarily identify all deficiencies in
internal control over financial reporting that might be significant deficiencies or material
weaknesses. As discussed below, we identified certain deficiencies in internal control over
financial reporting that we consider to be significant deficiencies.

A control deficiency exists when the design or operation of a control does not allow management
or employees, in the normal course of performing their assigned functions, to prevent or detect
misstatements on a timely basis.
A significant deficiency is a control deficiency, or combination
of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record,
process, or report financial data reliably in accordance with generally accepted accounting
principles such that there is more than a remote likelihood that a misstatement of the entity’s
financial statements that is more than inconsequential will not be prevented or detected by the
entity’s internal control.

A material weakness is a significant deficiency, or combination of significant deficiencies, that
results in more than a remote likelihood that a material misstatement of the financial statements
will not be prevented or detected by the entity’s internal controls.

Our consideration of the internal control over financial reporting was for the limited purpose
described in the second paragraph of this section and would not necessarily identify all
deficiencies in the internal control that might be significant deficiencies and, accordingly, would
not necessarily disclose all significant deficiencies that are also considered to be material
weaknesses. However, we believe that the significant deficiency in Integrated Financial
Management System described below is a material weakness.

Finally, with respect to internal control related to performance measures reported in the FEC’s
Performance and Accountability Report as of September 30, 2007, we obtained an understanding
of the design of significant internal controls relating to the existence and completeness
assertions, as required by OMB Bulletin 07-04.
Our procedures were not designed to provide
assurance on internal control over reported performance measures, and, accordingly, we do not
provide an opinion on such controls.

*************************************

MATERIAL WEAKNESS

I. Integrated Financial Management System (Modified Repeat Finding)

A single, integrated financial management system is a unified set of financial systems
linked together electronically in an efficient and effective manner to provide agency-wide
financial management support. An integrated system should maintain an interrelationship
between software, hardware, personnel, procedures, controls and data contained within the
systems which allows users to obtain necessary information efficiently and effectively
through electronic means. It does not necessarily mean having only one software
application covering all financial management needs within an agency. Interfaces are
acceptable as long as the supporting details are maintained and accessible to managers.
Interface linkages must be electronic unless the number of transactions is so small that it is
not cost beneficial to automate the interface. Easy reconciliation between systems, where
interface linkage is appropriate, must be maintained to ensure data accuracy.

The FEC does not have an integrated financial management system. Its general ledger and
core financial management system are housed in PeopleSoft (PS). However, significant
financial activity, such as Obligations, Revenue, Accounts Receivable, Property, Plant and
Equipment (PPE) and payroll transactions, originate outside of PS. Of these transactions,
only the Payroll activity processed through the National Finance Center’s (NFC) payroll
system is automatically interfaced with the FEC’s core financial system.
Obligations,
Revenue, Accounts Receivable and Property transactions are recorded in subsidiary
schedules maintained in multiple Excel spreadsheets and then manually posted to the
general ledger. These spreadsheets support the flow of transactions throughout the year.

As a result of a lack of an integrated system, FEC goes through a process of compiling
financial data in separate spreadsheets in a complex and time-consuming process to
generate the financial statements. Although FEC reviews these spreadsheets, the risks of
error increase due to the inherent risk and limitations of a spreadsheet-based application in
an agency’s financial management system. Some of these risks include:
• Substantial manual intervention is necessary, thereby increasing the risk of human error
  not being detected.
• Difficulty in tracking changes made to spreadsheets, including formula changes,
  preventing an adequate audit trail.
• Difficulty in verifying change controls and error correction changes made.
• Unique, new or non-recurring transactions are difficult to incorporate.
• Difficulty in performing automatic checks and balances on the transactions in the
  spreadsheets.
• Delay in recording transactions in the general ledger.
• Increase in the use of journal vouchers as a means for posting transactions to the
  general ledger.
• Substantial resources are spent processing transactions resulting in fewer resources for
  financial analysis and reporting.

These risks for errors were substantiated through our audit testing that identified the
following control deficiencies:
• Accounting entries posted to the general ledger were not always sufficiently
  documented or documentation to support the entries was not always
  properly maintained.
• Accrued expenses reported on the June 30, 2007 financial statements were misstated
  due to a posting error.
• The change in gross accounts receivable transactions was not recorded in the interim
  statements of custodial activity (March 2007 and June 2007).
• Multiple budgetary accounting related issues occurred resulting in:
  o The Recoveries of Prior Year Obligations and Obligations Incurred line items of the
    June 30, 2007 and September 30, 2007 draft financial statements being misstated.
    The reconciliation between the fourth quarter SF-133 and Statement of Budgetary
    Resources (SBR) as of September 30, 2007 was performed using incorrect SF-133
    data. Accordingly, the reconciliation did not reveal significant adjustments needed
    to the SBR and related financial statements, including a routine year-end adjusting
    entry of cancelling the 2002 fund.
  o FEC has not established the posting logic prescribed by Treasury for recording
    budget authority received under a continuing resolution. Furthermore, the FEC did
    not record apportionments in accordance with OMB Circular No. A-11,
    Preparation, Submission and Execution of the Budget. Specifically, FEC recorded
    the entire requested appropriation of $54 million as budget authority in February
    2007 even though the entire budget authority did not become available until April
    2007.
    The incorrect entries increased the risk that the system’s fund control may not
    have been effective, increasing the possibility that funds could have been
    obligated/expended in a manner that could have caused a violation of the
    Anti-Deficiency Act.
• FEC’s obligating documents contained errors or were inconsistent with supporting
  documentation; thereby increasing the risk for disbursements to be applied to the
  incorrect appropriation account or obligation. Specifically, we noted 2 out of 45
  disbursements that were applied to the incorrect appropriation account.
• FEC did not prepare and submit to OMB an analysis of significant financial statement
  line item fluctuations between March 31, 2006 and March 31, 2007. Moreover, our
  review of the analyses performed in subsequent reporting quarters showed that the
  analyses were not performed timely and/or were not complete.
• FEC did not complete the Statement of Budgetary Resources (SBR) reconciliation to
  SF-133 Report on Budget Execution and Budgetary Resources for the quarters ending
  December 31, 2006, March 31, 2007 and June 30, 2007 as required by OMB Circular
  A-136.

FEC is aware of these risks and the need for an integrated financial management system.
Accordingly, they plan to migrate a significant portion of their accounting function to the
General Services Administration (GSA) during fiscal year 2008.
In preparation for the
migration, FEC is working with GSA to determine the feasibility of linking external
systems not yet integrated to PeopleSoft.

Recommendations:

1. Assess the extent of financial management system integration needed for existing
   systems while outsourcing the accounting operations to a third party service provider.

2. Implement control activities to compensate for the lack of an integrated financial
   management system and to ensure that accounting transactions are recorded correctly,
   timely, reviewed, and with adequate supporting documentation. Some of these control
   activities should include, but are not limited to:
   • Improving preparation and review of procurement documents, including purchase
     requests, purchase orders/contracts, and related supporting documentation.
   • Improving analytical and quality control review of journal vouchers, reconciliations
     and the financial statements, including interim financial statements.
   • Implementing proper and timely cut-off controls for processing transactions and in
     preparing the financial statements to allow for management’s timely analysis of
     financial data and for audit purposes.
   • Establishing a timeline for timely receipt of completed accounts receivable schedules
     by the finance office from the program offices.

3. Ensure that the general ledger setup and posting model definitions are in compliance
   with the latest transaction posting consistent with USSGL guidance and policies for
   recording and classifying transactions.

4. Provide employee training on procurement, appropriation law, budget execution, and
   financial reporting requirements, as applicable, to ensure financial reporting and fund
   control policies are consistently and accurately executed.

5. Ensure that FEC complies with regulatory agencies’
   reporting requirements.

Management Response:

Management generally concurs with the finding and recommendations. FEC management
is committed to resolving the issues noted and has begun to address the recommendations.
For example, FEC has entered into an agreement with GSA, an OMB-certified Line of
Business provider, for financial services. FEC management has also begun to identify
training opportunities for its staff to enhance awareness of sound financial management
practices. FEC management will develop a corrective action plan addressing issues
identified.

SIGNIFICANT DEFICIENCY

II. Information Technology (IT) (Modified Repeat Finding)

A. Commission-Wide Security Administration

An entity-wide security program should be in place to establish a framework and
continuing cycle of activity to manage security risk, develop security policies, assign
responsibilities, and monitor the adequacy of computer security related controls.
Without a well-designed program, security controls may be inadequate; responsibilities
may be unclear, misunderstood, and improperly implemented; and controls may be
inconsistently applied. Such conditions may lead to insufficient protection of sensitive
or critical resources and disproportionately high expenditures for controls over low-risk
resources.

During our Fiscal Year 2007 review of FEC’s security program, we noted that FEC
made progress in addressing prior years’ findings, notably a contract was recently
awarded to conduct a risk assessment of FEC’s major applications and general support
systems.
The information obtained from this risk assessment will be used to adjust and
fully implement its information classification, certification and accreditation policies.

However, at the time of this review, FEC’s existing security program revealed
weaknesses in controls that expose the FEC’s financial management systems and data
to unauthorized access and/or modification. Security weaknesses noted included:
• Risk assessments have not been performed as part of FEC’s overall strategy to
  mitigate risks associated with its IT environment. (Repeat Finding)
• FEC has not fully implemented a framework of policies and standards to mitigate
  risks associated with the management of its information resources. Although FEC
  has implemented the majority of its information security policies, it has not fully
  implemented all of the related procedures and standards. FEC has not finalized and
  implemented an information classification policy, as well as its certification and
  accreditation policy. (Repeat Finding)
• FEC has created security plans for all of its major applications and mission critical
  general support systems. However, these security plans are not consistent with best
  practices “Risk Management Cycle”, as they are not based on an assessment of the
  risks to FEC systems. (Repeat Finding)
• Major applications and mission critical general support systems have not been
  certified and accredited to ensure that they are operating according to FEC’s
  security requirements.
  (Repeat Finding).
• FEC could not provide evidence to show that background investigations were
  performed timely for 3 out of the 10 newly hired employees that we sampled (30%).
  (New Finding).

Recommendations:

6. Perform risk assessments, as part of FEC’s overall strategy to mitigate risks associated
   with its IT environment.

7. Finalize and implement FEC’s information classification policy and certification and
   accreditation policy along with any accompanying standards.

8. Incorporate the results of risk assessments into FEC security plans.

9. Certify and accredit all major applications and mission critical general support systems.

10. Refine procedures to ensure that all newly hired employees undergo the appropriate
    background investigations commensurate with the risk level of their position. FEC
    should also ensure these investigations are initiated within a reasonable time of
    employment start date.

Management Response:

FEC agrees with the majority of elements within this finding and believes that conducting a
comprehensive risk assessment is a prudent course of action and consistent with its Risk
Management Policy. To that end, FEC has re-issued a previous “Request for Proposal”
(RFP). The contract was recently awarded to conduct a risk assessment of FEC’s major
applications and general support systems. The information obtained from this risk
assessment will be utilized to adjust and fully implement its information classification, and
certification and accreditation policies. The data sensitivity and criticality information
obtained will be incorporated into the appropriate FEC system security plans. This risk
assessment contract’s deliverables include a risk remediation plan and strategy.
This\n remediation plan will be incorporated into the overall ITD Corrective Action Plan (CAP).\n\n The modified system security plans, risk assessment and the resulting risk remediation plan\n will be included as major components of the certification and accreditation package for\n senior management to analyze in its decision to provide either an Authorization To Operate\n (ATO) or an Interim Authorization To Operate (IATO).\n\nB.   Disaster Recovery and Continuity of Operations\n\n     Losing the capability to process and protect information maintained on FEC\xe2\x80\x99s computer\n     systems can significantly impact FEC\xe2\x80\x99s ability to accomplish its mission. The purpose\n\n\n                                      Page 9 of 20\n\x0c   of disaster recovery and continuity of operations controls is to ensure that, when\n   unexpected events occur, critical operations continue without interruption or critical\n   operations are promptly resumed.\n\n   To achieve this objective, FEC should have procedures in place to protect information\n   resources and minimize the risk of unplanned interruptions and a plan to recover critical\n   operations should interruptions occur. These plans should consider activities performed\n   at FEC\xe2\x80\x99s general support facilities (e.g. FEC\xe2\x80\x99s local area network, wide area network,\n   and telecommunications facilities), as well as the activities performed by users of\n   specific applications. To determine whether the disaster recovery plans will work as\n   intended, FEC should establish and periodically test the capability to perform its\n   functions in disaster simulation exercises.\n\n   Our review of the service continuity controls identified weaknesses that could affect\n   FEC\xe2\x80\x99s ability to respond to a disruption in business operations after a disaster or other\n   interruption. 
Details of the matter are as follows:

• FEC has not performed a business impact analysis (BIA) to formally identify and
  prioritize all critical data and operations on its networks and the resources needed to
  recover them if there was a major interruption or disaster. In addition, FEC has not
  established emergency processing priorities that will help manage disaster situations
  more effectively for the network. (Repeat Finding)
• FEC has not established an alternate processing site for its operations in the event of
  a disaster. (Repeat Finding)
• FEC’s contingency plan is not comprehensive, as it does not include steps for
  recovering all FEC’s major applications and mission critical general support
  systems. Additionally, the plan does not prioritize resources or set a timeframe for
  recovery. (Repeat Finding)
• FEC has not developed a continuity of operations plan (COOP) to support the
  continuation of its core mission in the event of a disaster that renders FEC’s
  facilities unusable. (Repeat Finding)

Recommendations:

11. Perform a BIA to formally identify and prioritize all critical data and operations on
    FEC’s networks and the resources needed to recover them if there is a major
    interruption or disaster.

12. Establish an alternate processing site and incorporate the results of the BIA into the
    contingency plan.

13. Develop a comprehensive contingency plan that incorporates the results of the BIA and
    includes the procedures and resources necessary to restore FEC systems in the event of
    a disaster. Ensure emergency processing priorities are established to assist in managing
    disaster situations, and ensure once developed, the plan is tested annually and updated
    based on the results of these tests.

14. Develop a COOP that addresses measures and procedures to follow in the event of a
    long-term interruption.

Management Response:

FEC agrees that a formal BIA would be useful and recently awarded a contract to develop
a comprehensive disaster recovery plan. A component of this contract is to assist FEC in
formally identifying and prioritizing all critical data and operations on its networks and the
resources needed to recover them in the event of a disaster. Determine gaps in current
plans and strategies to close the identified gaps on a priority basis (i.e. risk, value derived,
cost, time). The vendor will then assist FEC with utilizing the data gleaned from this
analysis to validate (and/or modify) its already established emergency processing
priorities. FEC will ensure that all emergency processing priorities are prominently
indicated in the resulting disaster recovery plan. The proposed plan will also include a
testing plan and maintenance mechanism to ensure that the plan stays current.

Two additional components of this contract are to identify and prioritize those resources
needed to develop a COOP and define the requirements needed to establish an alternate
processing site.

C. Logical Access, System Software and Change Management Controls

Achieving an adequate level of information protection is highly dependent upon
maintaining consistently effective access controls, system software and configuration
management controls.
Access controls limit and monitor access to computer resources
(i.e., data files, application programs, and computer-related facilities and equipment) to
the extent necessary to provide reasonable assurance that these resources are protected
against waste, loss, unauthorized modification, disclosure, or misappropriation. Access
controls include logical controls, such as security software programs designed to
prevent or detect unauthorized access to sensitive files. Similarly, system software
controls limit and monitor access to powerful programs and sensitive files that control
computer processing and secure the application and data supported by the system, while
change and configuration controls ensure all programs and program modifications are
properly authorized, tested, and approved, and that access to and distribution of
programs is carefully controlled. Without proper controls, there is a risk that security
features could be inadvertently or deliberately omitted or "turned off" or that processing
irregularities or malicious code could be introduced.

Our testing of internal controls identified weaknesses related to the information
protection in FEC’s information systems environment. These include FEC’s midrange
computer systems (e.g. servers) and applications. Weaknesses noted include the
following:
• The PeopleSoft application is currently running on an Oracle Release 8i Relational
  Database Management System that is no longer supported by the vendor.
• Audit trail parameters for the Oracle database that supports the PeopleSoft
  application have not been set to ensure appropriate segregation of incompatible
  security responsibility and to provide necessary management oversight. Although
  ‘auditing’ is activated, the audit and archive logs are written to database tables and
  operating system logs respectively to which the database administrators (DBAs)
  have full access. This implies that the DBAs have the capability to purge these logs
  and remove possible evidence of database activity.
• FEC does not maintain documentation supporting timely approval and testing of
  patches and software upgrades prior to being moved into production.
• The PeopleSoft application does not have built-in functionality to enforce FEC’s
  password policies. Furthermore, the mitigating controls implemented by FEC do
  not address the following PeopleSoft weaknesses:
  o PeopleSoft does not have an account lockout policy.
  o PeopleSoft does not prevent users from using previous passwords.
  o PeopleSoft does not have the ability to enforce strong password requirements.
• FEC does not properly monitor access to its networks, systems and physical facility:
  o Six out of 10 separated employees still have active network accounts.
  o Three out of 10 LAN accounts have not logged on for more than 90 days.
  o One out of 10 LAN accounts has not changed its password in 180 days.
  o Two out of 10 LAN accounts have not logged on for more than 90 days and
    have not changed their passwords in 180 days.
  o Access documentation is not maintained for system administrators and database
    administrators. Additionally, administrator privileges are not periodically
    reviewed for appropriateness. FEC’s current policy is to grant employees
    access based on their positions. Only employees hired to perform
    administrative functions are granted administrative access.

Recommendations:

15. Transfer processing to a service provider or update existing platform to
    vendor-supported versions/releases.

Management Response:

FEC has evaluated four approved agencies for a Line of Business (LOB) solution and
selected the General Services Administration (GSA) as its service provider. FEC has
finalized its decision regarding moving its financial, human resources, travel services and
procurement activities to GSA’s LOB by signing an Interagency Agreement. GSA’s LOB
solution will replace the FEC PeopleSoft application thus eliminating the discrepancies
described in this finding.

16. Write audit trails related to DBA activity to Operating Systems logs and limit DBA’s
    access to these logs.

Management Response:

Although the FEC has a process in place to trace any and all (attempted and successful)
transactions which may occur in its Oracle databases, it concurs that implementing
additional separation of duty controls will assist in eliminating the possibility that a
database administrator could purge auditing logs to hide inappropriate actions. To this
end, the FEC recently implemented a process whereby database administrators have been
restricted to read only access to Oracle audit log files.

17. Maintain documentation to support the testing and approval of system software
    changes.

Management Response:

Although FEC believes its recently issued patch management standard is sufficient, the
process of maintaining supporting documentation to support the standard can be improved.
In an effort to improve this process, the FEC will issue patch management standard
reminders to its technical personnel.
In addition, the FEC will add reviewing patch
management supporting documentation to its Security Review Policy to ensure that
supporting documentation is properly maintained.

18. Develop additional mitigating controls to ensure that PeopleSoft passwords are in
    agreement with FEC policy or ensure that if PeopleSoft processing is outsourced, the
    third party maintains password controls that comply with FEC password policies.

Management Response:

Although FEC has developed compensating controls to reduce the risk associated with this
finding, it concurs that the PeopleSoft application does not meet the requirements specified
in FEC’s Password Policy. With this in mind and understanding the limitations of the
current version of PeopleSoft utilized at FEC, the Password Policy is being amended to
allow an exemption for the PeopleSoft application.

In addition, the FEC selection of GSA’s LOB financial solution will replace the FEC
PeopleSoft application thus eliminating the discrepancies described in this finding.

19. Promptly terminate access to FEC resources for separated employees. Procedures
    should be documented and implemented to coordinate separations between Human
    Resources and IT management to ensure user accounts are immediately disabled upon
    termination.

20. Utilize access request forms that identify the user’s access level to document user
    access rights to all FEC systems and facilities. Additionally, FEC should periodically
    review and recertify user access to ensure current access is commensurate with job
    responsibilities.

Management Response:

Although the FEC has a documented process in place to terminate FEC resources for
separated employees, it concurs that this process can be improved. To this end, the FEC
recently awarded a contract to develop and implement an automated HR New Personnel
Workflow Process.

The New Personnel Workflow Process will include full time employees, interns, and
contractors and eliminate the discrepancies described in this finding. The new process will
track staff from the start of their employment at FEC to exit and allow managers to request
and document any changes in network and application access. This new process will
enable a higher degree of coordination between HR and ITD to ensure that user accounts
are disabled upon exiting per FEC policy. The new process will retain all historical
information regarding account creation, changes to access rights, system resources, and
termination information regarding a particular account.

OTHER MATTER

OMB Bulletin No. 07-04 requires that the auditor’s report on internal control “identify those
material weaknesses disclosed by the audit that were not reported in the reporting entity’s
Federal Managers’ Financial Integrity Act (FMFIA) report.” The FEC’s schedule of material
weaknesses and non-conformances included in the Performance and Accountability Report did
not identify the material weakness noted in this report. We do not believe, however, that failure
to report the material weaknesses in FMFIA constitutes a separate reportable condition or a
material weakness because different criteria are used by management and the auditors in
determining material weaknesses.

STATUS OF PRIOR YEAR CONDITIONS

We have reviewed the status of the FEC’s corrective actions with respect to the findings and
recommendations from the prior year’s report on internal controls.
We have attached Appendix
A to our report that presents the status of prior year findings and recommendations.

********************************

FEC's response to the material weakness and significant deficiency identified in our audit is
presented within the body of our report. We did not audit the FEC's response and, accordingly,
we express no opinion on it.

In addition to the material weakness and significant deficiency described above, we noted certain
matters involving internal control and its operation that we reported to the management of the
FEC in a separate letter dated November 13, 2007.

This report is intended solely for the information and use of the management of the FEC, the
FEC Office of Inspector General, Government Accountability Office, the OMB, and the U.S.
Congress, and is not intended to be and should not be used by anyone other than these specified
parties.

Calverton, Maryland
November 13, 2007

APPENDIX A
FEDERAL ELECTION COMMISSION
STATUS OF PRIOR YEAR FINDINGS AND RECOMMENDATIONS
September 30, 2007

Material Weaknesses

I. Program Cost Allocation

| PY Rec. No. | Condition/Audit Area | Recommendation | Current Status [1] |
|---|---|---|---|
| 1 | Cost Allocation Methodology | Revise the account lockout threshold in TRS to five invalid attempts. | Closed |
| 2 | Cost Allocation Methodology | Establish written policies and procedures to ensure that employees enter their time in the cost system timely and properly and the results are supported by source data which is reviewed and approved by management. | Closed |
| 3 | Cost Allocation Methodology | Ensure correct and consistent application of the cost allocation process in accordance with the cost system user manual and conceptual design document. | Closed |
| 4 | Cost Allocation Methodology | Ensure errors in TRS causing the system to allocate hours for the Information Division to the wrong program are resolved. | Closed |

II. General Property and Equipment

| PY Rec. No. | Condition/Audit Area | Recommendation | Current Status [1] |
|---|---|---|---|
| 5 | Property, Plant and Equipment | Improve analytical and quality control review of subsidiary schedules, journal vouchers and property reconciliation to ensure material errors and differences are identified and resolved timely. | Closed |
| 6 | Property, Plant and Equipment | Use correct USSGL. | Closed |
| 7 | Property, Plant and Equipment | Develop a mechanism for reconciling individual property items in the property system to the bulk purchases recorded in the general ledger to ensure completeness of the property system records. Also, ensure that the property management system has complete information, such as bar code identification, serial number and location of the asset. | Closed |
| 8 | Property, Plant and Equipment | Clearly document physical inventory procedures, results of the physical inventory, and the reconciliation performed. Maintain the documentation for audit trail and management review purposes. | Updated – reported in current year management letter |
| 9 | Property, Plant and Equipment | Establish a standard process, mechanism or policies to ensure [offices and divisions] notify the Finance Office of the acquisition and disposition of property assets. | Updated – reported in current year management letter. |
| 10 | Property, Plant and Equipment | Perform a monthly analysis of property as part of the monthly analysis of financial activities. | Closed |

Reportable Conditions

III. Information Technology

| PY Rec. No. | Condition/Audit Area | Recommendation | Current Status [1] |
|---|---|---|---|
| 11 | Entity-Wide Security | Complete the documentation approval and implementation of an entity-wide security program plan. | Open – reported in current year significant deficiency |
| 12 | Entity-Wide Security | Finalize and implement FEC’s information classification policy and certification and accreditation policy along with any accompanying standards. | Open – reported in current year significant deficiency |
| 13 | Entity-Wide Security | Perform risk assessments, as part of FEC’s overall strategy to mitigate risks associated with its IT environment. | Open – reported in current year significant deficiency |
| 14 | Entity-Wide Security | Incorporate the results of the risk assessments into FEC’s security plans. | Open – reported in current year significant deficiency |
| 15 | Entity-Wide Security | Classify information resources in accordance with the risk assessments. | Open – reported in current year significant deficiency |
| 16 | Entity-Wide Security | Utilize corrective action plans for all reviews of security controls whether performed internally or by a third party. | Closed |
| 17 | Entity-Wide Security | Ensure that corrective action plans identify the task to be completed in addition to identifying the resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones. | Closed |
| 18 | Entity-Wide Security | Certify and accredit all major applications and mission critical general support systems. | Open – reported in current year significant deficiency |
| 19 | Contingency Planning | Perform a BIA to formally identify and prioritize all critical data and operations on FEC’s networks and the resources needed to recover them if there is a major interruption or disaster. | Open – reported in current year significant deficiency |
| 20 | Contingency Planning | Ensure that emergency processing priorities are established to assist in managing disaster situations more effectively for the network and include business owners in the discussion to determine how much backup data is needed on-hand to minimize the impact of a disaster. | Open – reported in current year significant deficiency |
| 21 | Contingency Planning | Establish an alternative processing site for FEC’s operations in the event of a disaster and ensure that an operational mechanism exists to update the disclosure database in the event that FEC’s database is unavailable to replicate the disclosure database resident at the off-site location. | Open – reported in current year significant deficiency |
| 22 | Contingency Planning | Develop and document a comprehensive COOP of FEC’s data centers, networks, and telecommunication facilities. | Open – reported in current year significant deficiency |
| 23 | Contingency Planning | Develop a COOP to support the continuation of FEC’s core mission in the event of a disaster that renders FEC’s facilities unusable. | Open – reported in current year significant deficiency |
| 24 | Controls to Protect Information | Finalize and implement FEC’s process to manually review logs of users using budgetary overrides where the reviewer is an individual who does not have access to utilize the overrides. | Closed |
| 25 | Controls to Protect Information | Develop mitigating controls to ensure that PeopleSoft passwords are in agreement with FEC’s policy or ensure that when PeopleSoft processing is outsourced, the third-party maintains password controls that comply with FEC’s password policies. | Open – reported in current year significant deficiency |
| 26 | Controls to Protect Information | Use access request forms that identify the user’s access level to document user access rights to all FEC’s systems. Additionally, FEC should periodically review the appropriateness of access granted and recertify user access rights. | Closed |
| 27 | Controls to Protect Information | Investigate to determine a baseline level of auditing that can be performed without causing a detrimental impact to the performance of the Oracle databases and the applications that they support. | Closed |
| 28 | Controls to Protect Information | Periodically review data center access and remove unnecessary access rights. | Closed |
| 29 | Software Development and Change Controls | Implement formal policies and procedures for managing system software changes. | Closed |
| 30 | Software Development and Change Controls | Maintain documentation to support the testing and approval of system software changes. | Open – reported in current year significant deficiency |
| 31 | Software Development and Change Controls | Complete the migration of financial processing to a third-party service provider and verify that the service provider is utilizing vendor supported system software version. | Open – FEC has plans to migrate to a third party service provider in FY 2008. |

IV. Integrated Financial Management System

| PY Rec. No. | Condition/Audit Area | Recommendation | Current Status [1] |
|---|---|---|---|
| 32 | Integrated Financial Management System | Evaluate the extent of systems integration needed for existing systems when considering the outsourcing of the FEC’s accounting services to a shared service provider. | Updated – reported in current year material weakness |

V. Administrative Fines, Civil Penalties and Miscellaneous Receipts

| PY Rec. No. | Condition/Audit Area | Recommendation | Current Status [1] |
|---|---|---|---|
| 33 | Administrative Fines, Civil Penalties and Miscellaneous Receipts | Implement policies and procedures for reviewing the accounts receivable schedules for reasonableness and accuracy prior to recording related account transactions in the general ledger. | Closed |
| 34 | Administrative Fines, Civil Penalties and Miscellaneous Receipts | Formalize policies and procedures for performing accounts receivable reconciliations. While developing these procedures, the FEC should consider establishing a timeline for when the reconciliations should be finalized by the program offices and forwarded to the Finance Office. | Updated – reported in current year material weakness |
| 35 | Administrative Fines, Civil Penalties and Miscellaneous Receipts | Document all the methodologies applied in calculating allowances for uncollectible accounts. Periodically review the methodologies against actual procedures performed and revise them as necessary. | Updated – reported in current year management letter |

VI. Controls Over Procurement and Disbursement Transactions

| PY Rec. No. | Condition/Audit Area | Recommendation | Current Status [1] |
|---|---|---|---|
| 36 | Procurement and Disbursement | Issue formal guidance for performing corrective action when negative obligation balances occur. Procedures should describe the conditions when corrective action is needed, corrective actions to perform and the individuals responsible for resolving the error. The timely response and clear communication on corrective action should also be included in the procedures. | Closed |
| 37 | Procurement and Disbursement | Ensure documentation related to procurement and disbursement actions are properly approved and supported. Procurement policies and procedures should be enhanced to document, completely and clearly, operating procedures for the procurement cycle and should include procedures for documenting justification when exceptions are made to established procedures. | Updated – Reported in current year management letter |
| 38 | Procurement and Disbursement | Ensure reconciliations are consistently performed, reviewed and approved in a timely manner. | Closed |
| 39 | Audit Follow-up | Formalize the remediation process related to audit findings and recommendations that is consistent with OMB Circular A-50 guidelines. | Updated – reported in current year management letter |

[1] Updated recommendation can be considered closed since a new recommendation has been proposed in current
year’s Auditor’s Report on Internal Control or management letter.